Archive for August, 2017

House GOP unveils website criticizing media coverage – The Hill

House Republicans have launched a new website that slams the media for focusing on "chaos" instead of what they see as a productive first 200 days.

The website, "Did You Know," claims that media coverage doesnt focus on the issues important to Americans. It also calls out the press for not writing more about the legislative achievements of the House GOP.

House Republicans aren't distracted by the newest countdown clock on cable news or partisan sniping in Washington, D.C., the website reads. You dont care about those things. You care about finding a good job, taking care of your family, and achieving the American Dream, and so do we.

It comes as President Trump hits his 200th day in office. Speaker Paul RyanPaul RyanGOP debates deep cut to corporate tax rate 5 things members of Congress are doing over August recess Paul Ryan: Intel leaks 'the problem of the leaker, not the journalist' MORE (R-Wis.) had set the 200th day as a bigger marker for Republicans than Trump's first 100 days.

The website features a quiz where readers can answer questions comparing major events in the news, like former FBI Director James Comeys testimony before Congress and the shooting at a congressional baseball practice to legislation the House passed.

"Did you also know that the same week, the House passed bipartisan legislation to combat human trafficking?" one question asks, placing the bill in contrast to reports emerging that Donald TrumpDonald TrumpDemocrats introduce another 'false hope' act to immigrants Caitlyn Jenner apologizes for wearing Make America Great Again hat Conway, ABC host tangle over Trump's involvement in son's statement MORE Jr. met with a Russian lawyer during the Trump campaign with the promise of compromising information on Democratic presidential nominee Hillary ClintonHillary Rodham ClintonClintons attend private screening of 'Wonder Woman' Rosenstein: Trump did not direct feds to investigate Clinton GOP senator: I wish Republicans had stood up to birtherism MORE.

Republicans have so far been unable to win many big legislative achievements despite their control of the government.

The House did pass an ObamaCare repeal-and-replace plan, a big victory for Ryan.

But the bill was dead on arrival in the Senate, which also hit a stalemate on its own healthcarelegislation.

Trump's biggest accomplishment so far is the confirmation of Supreme Court Justice Neil Gorsuch. Trump has also been able to cut back on Obama-era regulations with the help of the House.

Other big agenda items for House Republicans or Trump, including tax reform and an infrastructure plan, have yet to be picked up. Work on tax reform was delayed in part by the long fight over ObamaCare.

Republicans did pass a spending measure earlier this year that kept the government open, but they now must do so again to prevent a shutdown after September.

Another Trump priority backed by Ryan, building a wall on the Mexican border, has been stuck. Some Republicans oppose the wall, but $1.6 billion targeted for its construction has been included in a spending bill for the next fiscal year.

The House GOP website rips the media's coverage of Trump, arguing its focus on investigations into Russia have unfairly overshadowed legislative work.

House Republicans are focused on what matters to you, the ad states.

See the original post here:
House GOP unveils website criticizing media coverage - The Hill

With IPO plans, China’s hipster social network Douban turns pragmatic – TechNode (blog)

Doubana Chinese social networking service that focuses on film, music, and booksrevealedon August 5 that its plans to go public overseas wouldbring in cash flow necessaryfor its product linesto run on independent budgets. The email did not mention which overseas market the company planned to list on.

The announcement comes from aleakedinternal email(in Chinese) that founder and CEO Yang Bo (more widely known as Ah Bei) sent to hisemployees, calling for a pragmatic pivotfor the company. A person familiar with the matter has confirmed the authenticity of the email to TechNode.

Ah Bei said in the email thatthe waning, profit losingproducts includingDongxi, a product once with high financialexpectations,will be terminated. A new content business group, centered around its first paid content feature Douban Time,will launch with the focus on generating revenue.

Founded in 2005, Douban has long adopteda self-described slow approach to its business modelagainst todayscurrents. Coupled with the sites focuson books, music, and movie reviews, Douban is widely known as a haven for Chinas utopianhipsters. Over the years ithas dabbled inseveral monetization attempts with fewsignificant outcomes. AlphaTown, avirtual city developed with the aim to make money from e-commerce and online gaming, shut down in 2015 after five years of operation.

As of 2016, Douban has accumulated 150 million registered users and 300 million monthly active users, Caixin reports.Its a much less sticky app, however, compared to other Chinese social networking giants. Basedona report by China Internet Network Information Center (CNNIC), Doubans usage rate (percentage of users who used the app in the last six months) in 2017 is 8.6%, compared to Weibos 38.7% and WeChats 84.3%.

Doubans last funding round was a$50 million Series C in September 2011.

Telling the uncommon China stories through tech. I can be reached at ritaliao [at] technode [dot] com.

See the original post here:
With IPO plans, China's hipster social network Douban turns pragmatic - TechNode (blog)

The Fourth Amendment’s Digital Update – The Daily Caller

The Fourth Amendment has protected our right to privacy since its ratification in 1791. Thetextof the amendment reads, the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, but how well do these protections hold up in the digital age?

Today, most of us are typing emails on our laptops, not scribbling a letter with a quill and inkwell. Therefore, its important to ensure our sensitive, digital communications are well-protected. Clearly, the Fourth Amendment transcends time and technological change, but some sinister players are pretending otherwise.

Currently, under theElectronic Communications Privacy Act(ECPA), the United States federal government may seize any citizens private email communicationswithout a warrant, provided they are over 180 days old. By law, these older emails are not considered privy to a reasonable expectation of privacy under the ECPAsSection 2703(a).

Even worse, the ECPA was enacted in 1986, years before email usage was even widespread. However, the 180-day rule doesnt just apply to emailsevery Americans texts, GroupMe chats, and Facebook messages are fair game too.

Its time to modernize the Fourth Amendment to protect our online communications, and bipartisanThe Email Privacy Act, re-introduced by Reps. Kevin Yoder (R-KS) and Jared Polis (D-CO), does just that. Namely, the Email Privacy Act would require all government agencies to acquire a warrant before accessing any online communications over 180 days oldjust like any other private documents.

In the era of cloud technology, communications could be stored on enormous server, conceivably forever. More and more, our sensitive financial, relational, and personal details exist online, making their security absolutely essential.

The ECPA is problematic in other areas as well. In December of 2013, federal law enforcement sought asearch warrantfor Microsoft customers email account as a component of a criminal narcotics investigation. Microsoft complied up until a point, but there was one big problemthe actual emails were stored overseas.

Microsoft refused to turn the emails over, and was held in civil contempt by the district court. Three years later, however, the Second Circuit Court of Appeals ruled against the federal government, expressing that companies cannot be compelled to release customer emails stored outside the United States.

We conclude that 2703 of the Stored Communications Act does not authorize courts to issue and enforce against USbased service providers warrants for the seizure of customer email content that is stored exclusively on foreign servers, the courtruled.

TheInternational Communications Privacy Act (ICPA) is one potential solution to this issue, creating, a legal framework that clarifies the ability of law enforcement to obtain electronic communication of U.S. citizens, no matter where the person or the communications are located.

Additionally, the ICPA would allow law enforcement to obtain communications from foreign nationals, in consistency with international law. Sponsored by Senators Orrin Hatch (R-UT), Chris Coons (D-DE), and Dean Heller (R-NV), the bipartisan legislation would remedy this complex problem.

The International Communications Privacy Act aids law enforcement while safeguarding consumer privacy, striking amuch-needed balance in todays data-driven economy, Senator Hatchstated. Clearly, Americans can no longer be complacent about their privacy protections. In a digital age of prying eyes, the consequences of privacy violations can be costly, and long-lasting.

On June 23rd, the Department of Justiceapplied to take the Microsoft case to the Supreme Court, but Congress shouldnt wait for the court to take action. Passing the ICPA and other meaningful reform is too important to wait, when innocent Americans are being caught in the crossfire.

One way or another, its time to give the Fourth Amendment a sorely needed update.

See the original post here:
The Fourth Amendment's Digital Update - The Daily Caller

Congress must act to protect data privacy before courts make surveillance even easier – The Hill (blog)

The Fourth Amendment was established in a time when privacy expectations could be articulated through a simple maxim that every mans home is his castle. In the 21st century, however, our most private information is often guarded not by walls or with a key, but by the companies Microsoft, Verizon, and the like that provide us with access to the data cloud.

In a perfect world, the technologies of today would be met with the same principles that were laid out in the Fourth Amendment by our founders. Unfortunately, that is easier said than done. Technology has added lots of complications, and we are left trying to figure out what a reasonable search is in the age of the data cloud.

Much of the doctrine of the Fourth Amendment is based on definitions that are ill-equipped for dealing with challenges in the era of cloud computing. For instance, do emails, location information, and other data and documents stored in the cloud fall within the Fourth Amendments protection of The right of the people to be secure in their persons, houses, papers, and effects?

Moreover, lack of notice to the person whose property is being searched has become a big problem in the digital era. Traditional searches of one's home or car are, as a practical matter, difficult to keep secret from the propertys owner. In contrast, absent legal protections, it is easy for the government to search electronic data that is held by a third party without the owner of the data ever finding out about it, assuming the government has the cooperation of the third party.

That is just one of several ways in which the third-party doctrine, which holds that people who voluntarily convey information to a third-party such as a bank or a telephone company have no reasonable expectation of privacy in the information conveyed, results in a gaping hole in Fourth Amendment protections in this new age. When applied to the data cloud, this relatively narrow third-party exception granted to law enforcement becomes a broad license for the government to monitor virtually all the data we transmit in our day-to-day lives.

One would have to virtually opt out of our high-tech society to evade this license. That should not be a required trade-off for enjoying the protections of the Fourth Amendment, especially when the government has lawful alternatives for achieving its law enforcement needs.

Then again, if an entire class of technology needs to be exempt from a legal doctrine, there may be a problem with the doctrine itself. At the end of the day, it may be that the third-party doctrine has become irreconcilable with the Fourth Amendment and needs to be discarded. However, it is highly unlikely that the Supreme Court will go that far anytime soon.

The ECPA Modernization Act is a laudable effort to strengthen the warrant requirements for third-party data collection and guard the Constitutional right to due process when digital property is being searched. With the modernization act pending in the Senate andUnited States v. Carpenterpending in the Supreme Court, there is new hope that our institutions will succeed in applying the founders Fourth Amendment principles to the brave new high-tech world.

The views expressed by contributors are their own and are not the views of The Hill.

Read more:
Congress must act to protect data privacy before courts make surveillance even easier - The Hill (blog)

Separating NSA and CYBERCOM? Be Careful When Reading the GAO Report – Lawfare (blog)

The Government Accountability Office last week published a report that, among other things, weighs in on the pros and cons the NSA/CYBERCOM dual-hat system (pursuant to which the Director of NSA/CSS and Commander of CYBERCOM are the same person). The report deserves attention, but also some criticism and context. Heres a bit of all three.

1. What is the dual-hat issue?

If you are new to the dual-hat issue, or in any event if youve not closely followed the developments of the past year, please read this recent post for an introduction and overview.

2. What was GAOs bottom line? Did they recommend keeping or abolishing the dual-hat?

Neither. The report does not purport to answer that question. It is, instead, no more no less than an attempt to convey the DOD perspective (and only the DOD perspective) on the pros and cons of keeping the dual-hat structure (as well as identifying some mitigation steps).

3. What method did GAO use to determine DODs perspective?

GAO did three things:

a. It reviewed documents previously generated by CYBERCOM and by the Joint Staff to educate their own leadership on the pros and cons.

b. It sent out questionnaires to various DOD components (with relevant responses received from CYBERCOM, 6 combatant commands, 4 combat support agencies, and 3 OSD offices, plus a collective response for DOD produced by DODs CIO); and

c. It conducted interviews with personnel from CYBERCOM, DOD CIO, and NSA/CSS.

4. Anything wrong with that methodology?

Not if your goal is to convey only DODs perspective. And to be fair, that was GAOs stated goal. But this approach is problematic.

One of the issues driving the dual-hat debate involves the tension that arises between intelligence-collection equities (which NSA would be inclined to favor) and disruption equities (which CYBERCOM would be inclined to favor), in the scenario in which access to enemy-controlled system could be used for either purpose. As a result, the Intelligence Community has a stake in this question. GAO should have reached out for input from ODNI in particular (and it also is odd that GAO only included NSA in one of the three methods mentioned above).

GAO might respond that its terms of reference were DOD-specific. Thats clearly true for certain other parts of the GAO report in question, dealing with other topics. Its less clearly the case with the dual-hat portion of the report. But even if it is, it does not follow that GAO could not include in its report any reference to possibly-competing perspectives from the IC. Indeed, I would go further and say it was a big mistake not to do so, for it was perfectly foreseeable that this report would be taken by many (especially the media) as conveying a general assessment of the dual-hat issue rather than just a DOD-specific summary of opinions, no matter how many caveats are given.

5. Fine, but it is what it is. So lets look at what GAO actually reported, starting with the three pros favoring preservation of the dual-hat arrangement. The first one asserts that the dual-hat promotes coordination and collaboration between NSA and CYBERCOM. Comments?

At bottom, this is a claim that having a common boss makes it relatively easy to collaborate when it comes to developing exploits and sorting out when and how they are used. That makes sense, and is consistent with conventional wisdom on the dual-hat situation.

6. The second pro is about how the dual-hat solves the deconfliction challenge mentioned above, but whats really interesting here is what the report implies about how that challenge would otherwise have to be managed.

As noted above, the need to deconflict when collection and disruption equities compete is a big part of this story. Here, GAO acknowledges that the status quo provides a ready-made solution. So far, so good. What is really interesting, though, is the comment GAO then makes regarding what would happen in such cases of tension in the absence of the dual-hat.

Tellingly, the report observes that, in that case, deconfliction issues would have to be taken to the Secretary of Defense and/or Director of National Intelligence for resolution (emphasis added). I love the use of and/or in that sentence. It perfectly captures a critical point: absent a dual-hat, there has to be a new deconfliction system, and yet the lead contenders for that role each have a dog in the fight. Let me expand on that a bit.

Assume we decide to end the dual-hat system, without first settling on a new deconfliction system. What then? In that case, CYBERCOM usually will win over NSA. Why? Think about it. NSA wants to use existing access to keep collecting, but CYBERCOM wants to use it to disrupt the platform. If NSA barrels ahead with its preference, nothing really changes; the target remains operational and the enemy is none the wiser, hopefully. But if CYBERCOM barrels ahead with its preference, in most instances that will shut down the target (or at least make it clear to the enemy that the target has been penetrated); no more collection at that point. NSA will lose such battles, except when DIRNSA manages to see the issue coming and gets someone over CYBERCOMs head to make them back off.

Sounds like we would need a formal system to replace the dual-hat for deconfliction then. But what would that look like? If the solution is to charge the DNI with making the call, CYBERCOM wont likely be happy. If the solution instead is to charge SecDef (or USD(I) or the like), NSA (and DNI) wont likely be happy. If the solution instead is to convene a committee of some kind with stakeholders from both sidesand that committee works by majority votethen the same problem arises (unless you find some third-party player, like the National Security Adviser, to ensure there is not a tie and that the IC and military have equal voting power).

The point being: this issue needs serious attention. I dont doubt a decent solution can be developed, but care must be taken lest we stumble into the default scenario mentioned above.

7. The third pro involves the efficient allocation of resources, but its really about the idea that NSA makes CYBERCOM possibleand that reminds us that the dual-hat isnt going away soon.

The third pro noted by GAO is that the dual-hat facilitates NSA and CYBERCOM sharing operational infrastructure (translated: hacking tools, accesses, staging servers, personnel, etc.), as well as the infrastructure for training. Of course, its pretty much a one-way street; this traditionally is all about NSA sharing its expertise with CYBERCOM as it has stood up. Legislation currently forbids separation of the dual hat until DOD can certify that CYBERCOM is truly ready to operate independently. Thats supposed to be the case by September next year, but of course its one thing to say it and quite another to achieve it.

8. Turning now to the cons, GAO introduces the idea that the dual-hat may give CYBERCOM an unfair advantage over other commands.

This one was phrased very carefully. Without saying that this problem already exists, GAO says that CYBERCOM thinks that other commands are worried that the dual-hat may in the future unduly favor CYBERCOM requests for NSA support over the requests that come from other military commands. This is an interesting twist on the more-familiar concern that military equities in general will trump collection equities. This is military-vs-military instead. At any rate, again note that it is framed as speculation rather than a current observation. That might be politeness, or it might really be purely speculative. You really cant tell from the GAO report (see my last point below, on whether any of the reports observations have strong evidentiary foundations).

9. The second con GAO lists is a bombshell: The dual-hat creates [i]ncreased potential for exposure of NSA/CSS tools and operations.

Wow. In an almost cavalier way, the GAO report links the dual-hat issue directly to the fierce, ongoing debate over the security of NSAs tools, a topic that goes to the very heart of NSAs mission. Because of the importance of that latter debate, GAOs assertion will constitute a heavy thumb on the scale in favor of separating the dual-hat, if it catches on. Time will tell if it will. For now, lets just take a closer look at the claim.

First, here is what GAO says on the subject:

The dual-hat command structure has led to a high-level of CYBERCOM dependence on NSA/CSS tools and infrastructure. According to NSA/CSS officials, the agency shares its tools and tactics for gaining access to networks with a number of U.S. government agencies, but CYBERCOMs dependence on and use of the tools and accesses is particularly prevalent. CYBERCOMs dependence on NSA/CSS tolls increases the potential that the tools could be exposed.

Lets parse the two claims here.

Does the dual-hat create CYBERCOM dependence on NSA, as the first sentence indicates? I think that has things backwards. As noted in the prior con, CYBERCOM badly needed NSA at first, and still needs it to no small extent. Thats not caused by the dual-hat. It is caused by lack of capacity. The dual-hat has been part of the solution to that need. Perhaps DOD meant to convey a different point: that keeping the status quo has become a crutch that prevents CYBERCOM from pressing faster to build its own capacities. That makes more sense.

Does CYBERCOM use of NSA tools and accesses (i.e., exploits and penetrations) increase the risk of their exposure? Put that way, the answer must be yes. Every instance of use of any exploit or access creates a new opportunity for others to discover it, and so the risk must go up each time (you might say each use increases the exposure surface). But note that weve just put the question in a non-nuanced way, without any attempt to quantify the degree of increase in the risk, let alone to place it in context with offsetting benefits or with reference to mitigation strategies for this problem. All that emerges from the GAO Report is the bottom line: CYBERCOM relies on NSA tools ostensibly because of the dual-hat, and therefore the dual-hat increases the risk of those tools getting loose. And any suggestion that a policy exacerbates that risk is bound to draw attention.

The possibility of loose NSA tools has become a flashpoint for debate, in a manner that threatens for better or worse to create new limits on the ability of NSA to develop or keep certain capacities (particularly knowledge of zero-day vulnerabilities). NSA received a substantial black eye when a Russian intelligence agency the mysterious entity identifying itself as the Shadowbrokers somehow acquired a cache of NSA-created exploits and then began dumping them publiclyespecially after one of those exploits was used in connection with WannaCry and NotPetya. Both WannaCry and NotPetya received a vast amount of media attention, much of it pinning the blame in large part on NSA. This fueled arguments to the effect that NSA should not be allowed to create or preserve such tools (or at least that current procedures for balancing the competing equities involved (building NSAs collection capacity, vs improving the security of commercially-available products) should be altered significantly so as to reduce NSAs capacities in this area).

That argument was out there before WannaCry and NotPetya broke, in fact, but once those stories broke it received a strong boost from Microsoft. As this June piece in the New York Times from Nicole Perlroth and David Sanger underscores, this perspective has gained considerable momentum with some in private industry, Congress, and foreign governments. Just this morning, former NSA Deputy Director Rick Ledgett wrote a post here at Lawfare fighting back against this argument, highlighting how important the issue is.

Whether you agree or disagree with this argument, you no doubt can appreciate how it has made the government acutely sensitive to questions about the security of NSAs tools. As a result, the argument that the dual-hat creates significant security risks for those tools has the potential to have an outsized impact on the dual-hat debate. Which is a good thing, if the argument is a persuasive one. Unfortunately, the GAO report does not come anywhere close to giving us enough information to judge the matter. And yet this part of the report grabbed headlines in some quarters (see this piece in NextGov, titled GAO: Keeping NSA and CyberCom Together Makes Hacking Tool Leaks More Likely).

10. The next con listed by GAO: NSA and CYBERCOM are too much for any one person to manage.

Thats a familiar and serious concern, and it is unsurprising that it arose here. It is entangled to some extent with the deconfliction issue, of course, but at the end of the day being Director of NSA and Commander of CYBERCOM both concern vastly more than deconfliction.

11. The next con on the list? Strangely, its the deconfliction issue, which we already discussed above as a pro for the dual-hat. What gives?

It is telling that the deconfliction issue pops up both as a pro and a con. As noted above, the dual-hat is a good thing for deconfliction insofar as one thinks there ought to be a single decision-maker who takes both collection and disruption equities seriously. But here we now see the flip-side of the argument, as GAO reports that personnel from both NSA and CYBERCOM (including a senior-level official) told GAO that the dual-hat leads to increased tension between NSA and CYBERCOM staffs, because their respective collection and disruption missions may not always be mutually achievable.

You know what Im going to say, I suspect. The tension is caused by the combination of incompatible missions and shared tools/accesses. Thats not the dual-hats fault. The dual-hat is one solution to resolving the tension. As I have noted here, there clearly is a view in some circles that the fix is in with the dual-hat, in favor of NSAs collection mission. Maybe thats right, maybe its not. But at any rate, listing the dual-hat as a con here seems to be a reflection of that perspective.

12. The last con on the list has to do with difficulties in tracking expenditures the NSA makes on behalf of CYBERCOM

This may well be a very important issue, but it seems to me the sort of thing to be addressed through improved procedures, and should not matter much in deciding whether to keep the dual-hat.

13. How strong is the evidence supporting the various pro and con claims?

I recommend caution. We get a description of GAOs methods, as noted above, but of course we do not also get the underlying documents, interview notes, etc. And the reports narrative on each point is exceedingly thin, no longer really than what Im providing here. Note, too, my earlier observation that GAO does not appear to have sought the views of ODNI, and only sought NSA views to a limited extent. None of which is to say that any of the observations are incorrect, of course.

Read the original here:
Separating NSA and CYBERCOM? Be Careful When Reading the GAO Report - Lawfare (blog)